The Hitchhikers Guide to the SHA-3 Competition Orr Dunkelman - - PowerPoint PPT Presentation

SLIDE 1

The Hitchhiker’s Guide to the SHA-3 Competition

Orr Dunkelman Computer Science Department University of Haifa

4 July, 2012

Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 46

SLIDE 2

Outline

1 History of Hash Functions: What is a Hash Function; The MD/SHA Family of Hash Functions; A(n Extremely) Short History of Hash Functions

2 The First Phase of the SHA-3 Competition: Timeline; The SHA-3 First Round Candidates

3 The Second Round: The Second Round Candidates; The Second Round Process

4 The Third Round: The Finalists; Current Performance Estimates; Security of the SHA-3 Finalists; The Outcome of SHA-3

SLIDE 4

What is a Hash Function?

[DH76] There is, however, a modification which eliminates the expansion problem when N is roughly a megabit or more. Let g be a one-way mapping from binary N-space to binary n-space where n is approximately 50. Take the N bit message m and operate on it with g to obtain the n bit vector m′. Then use the previous scheme to send m′. . .

SLIDE 5

What is a Hash Function? (cont.)

◮ (Cryptographic) hash functions are means to securely reduce a string m of arbitrary length into a fixed-length digest.

[Figures (two overlays): a sample message and its 128-bit digest 0x256C795AC8222D4F90EA836D69687B68, and a second message with digest 0x6CA0B3C905C0DDABA60E08BFA9A9B8BD.]

SLIDE 9

What is a Hash Function? (cont.)

◮ The main problem is the definition of securely.
◮ For signature schemes, three basic requirements exist:
  1 Preimage resistance: given y = h(x), it is hard to find x (or x′ s.t. h(x′) = y).
  2 Second preimage resistance: given x, it is hard to find x′ s.t. h(x) = h(x′).
  3 Collision resistance: it is hard to find x1, x2 s.t. h(x1) = h(x2).

SLIDE 10

What is a Hash Function? (cont.)

◮ Hash functions were quickly adopted in other places:
  ◮ Password files (storing h(pwd, salt) instead of pwd).
  ◮ Bit commitment schemes (commit — h(b, r), reveal — b, r).
  ◮ Key derivation functions (take k = h(g^xy mod p)).
  ◮ MACs (long story).
  ◮ Tags of files (to detect changes).
  ◮ Inside PRNGs.
  ◮ Inside protocols (used in many “imaginative” ways).
  ◮ . . .

SLIDE 11

What is a Hash Function? (cont.)

The Hitch Hiker’s Guide to the Galaxy has a few things to say on the subject of hash functions. A hash function, it says, is about the most massively useful thing a cryptographer can have. Partly it has great practical value — you can use it to replace random oracles in real protocols when you need them; you can use it to make signatures faster; you can use it along with salts to have better password files; you can commit to bits using it; you can derive keys using it; produce pseudo-random numbers using it; authenticate data with it, and of course, just hash the data when you need a digest. More importantly, a hash function has immense psychological value. For some reason, if a strag (strag: non-cryptographer) discovers that a cryptographer has his hash function with him, he will automatically assume that he is also in possession of a symmetric-key encryption, a public-key encryption, a voting protocol, a zero-knowledge protocol, etc., etc. Furthermore, the strag will then happily implement for the cryptographer any of these or a dozen other protocols that the cryptographer is too “busy” to do himself. What the strag will think is that any cryptographer who can design protocols, follow bits, avoid differentials and SAT solvers, and still knows where his hash function is, is clearly a man to be reckoned with.

SLIDE 12

The MD/SHA Family

◮ Started with Rivest’s MD4.
◮ Following a few cryptanalytic attempts, was upgraded to MD5.
◮ MD5, also known to many as md5sum, generates tags of 128 bits.
◮ Became very popular given its high speed, alleged security, and lack of true competition. . .
◮ Later, it was used as the basis for the SHA-0 and SHA-1 hash functions.

SLIDE 13

The MD5 Hash Function

◮ To hash a message M the following steps are performed:
  1 M is padded with a ‘1’ bit, as many 0’s as needed (up to 512), and the original length of M encoded in 64 bits, such that the length of the padded message pad(M) is divisible by 512.
  2 pad(M) is divided into ℓ blocks of 512 bits, i.e., pad(M) = m_1, m_2, . . . , m_ℓ.
  3 The 128-bit chaining value h_0 is initialized.
  4 For i = 1, 2, . . . , ℓ, h_i = H(h_{i−1}, m_i) (the compression function is applied).
  5 The output is h_ℓ.

[Figure: the iteration chain: IV and m_1 enter the compression function f, its output and m_2 enter the next f, and so on through m_ℓ; the last output is h(M).]

SLIDE 14

The MD5 IV

◮ The internal state (chaining value) of MD5 is treated as four words of 32 bits each: A, B, C, D.
◮ The initial value h_0 is:
  A = 0x67452301
  B = 0xEFCDAB89
  C = 0x98BADCFE
  D = 0x10325476
  (this initial value is given in a little-endian manner)

SLIDE 15

The MD5 Compression Function

◮ Let h_{i−1} = (A_0, B_0, C_0, D_0).
◮ Let the message block be M_i = (W_0, W_1, . . . , W_15).
◮ For i = 0, 1, . . . , 63:
  1 D_{i+1} ← C_i
  2 C_{i+1} ← B_i
  3 B_{i+1} ← B_i + ((A_i + F_i(B_i, C_i, D_i) + K_i + W_{g(i)}) ≪ s_i)
  4 A_{i+1} ← D_i
◮ h_i ← (A_0 + A_64, B_0 + B_64, C_0 + C_64, D_0 + D_64).

All additions are modulo 2^32, and ≪ stands for rotation to the left.

SLIDE 16

The MD5 Compression Function

[Figure: one MD5 step: the constant K_i and message word W_i are added (⊞) to A_i and f_i(B_i, C_i, D_i), the sum is rotated left by s_i and added to B_i; after 64 steps the initial (A_0, B_0, C_0, D_0) is fed forward into the output.]

SLIDE 17

The MD5 Compression Function (cont.)

◮ Each round, a different message word is used, a different round constant is used, and a different function and rotation:

  0 ≤ t ≤ 15:  f_t(X, Y, Z) = XY ∨ (¬X)Z      g(t) = t
  16 ≤ t ≤ 31: f_t(X, Y, Z) = XY ∨ (¬Z)X      g(t) = (5 · t + 1) mod 16
  32 ≤ t ≤ 47: f_t(X, Y, Z) = X ⊕ Y ⊕ Z       g(t) = (3 · t) mod 16
  48 ≤ t ≤ 63: f_t(X, Y, Z) = Y ⊕ (X ∨ ¬Z)    g(t) = (7 · t) mod 16

The set of constants K_i is based on sin: K_i = ⌊|sin(i + 1)| · 2^32⌋

SLIDE 18

The MD5 Compression Function (cont.)

The rotation constants (s_i) are

Rotation Constants
  7 12 17 22  7 12 17 22  7 12 17 22  7 12 17 22
  5  9 14 20  5  9 14 20  5  9 14 20  5  9 14 20
  4 11 16 23  4 11 16 23  4 11 16 23  4 11 16 23
  6 10 15 21  6 10 15 21  6 10 15 21  6 10 15 21
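The five hashing steps, the IV, the step equations, the round functions, the sine constants and the rotation table on the preceding slides together specify MD5 completely. The block below is an added example, not code from the slides: a Python implementation written from that description and checked against hashlib.md5. The helper names (md5_pad, md5_compress, md5_hex, matches_hashlib) are my own. Two details follow RFC 1321 rather than the formulas as printed for rounds 2 and 3, namely G(X, Y, Z) = XZ ∨ Y¬Z and g(t) = (3t + 5) mod 16, because those are the forms the reference digests require.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Round constants K_t = floor(|sin(t+1)| * 2^32), as defined on the slides.
K = [int(abs(math.sin(t + 1)) * 2**32) & MASK32 for t in range(64)]

# Rotation amounts s_t: one row of the slides' table per 16-step round.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# Initial chaining value h_0 = (A, B, C, D) from the "MD5 IV" slide.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl32(x, s):
    """Rotate a 32-bit word left by s bits (the slides' left-rotation operator)."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def f(t, x, y, z):
    """Step function f_t: the F, G, H, I functions of the four 16-step rounds (RFC 1321 forms)."""
    if t < 16:
        r = (x & y) | (~x & z)
    elif t < 32:
        r = (x & z) | (y & ~z)
    elif t < 48:
        r = x ^ y ^ z
    else:
        r = y ^ (x | ~z)
    return r & MASK32


def g(t):
    """Index of the message word used in step t (RFC 1321 schedule)."""
    if t < 16:
        return t
    if t < 32:
        return (5 * t + 1) % 16
    if t < 48:
        return (3 * t + 5) % 16
    return (7 * t) % 16


def md5_pad(message):
    """Step 1: append a '1' bit, then zeros, then the 64-bit bit length (little-endian)."""
    bit_len = (8 * len(message)) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def md5_compress(h, block):
    """Step 4: the compression function H(h_{i-1}, m_i), including the feed-forward."""
    W = struct.unpack("<16I", block)  # sixteen 32-bit little-endian words W_0..W_15
    a, b, c, d = h
    for t in range(64):
        tmp = (a + f(t, b, c, d) + K[t] + W[g(t)]) & MASK32
        # D <- C, C <- B, B <- B + (tmp <<< s_t), A <- D, exactly as on the slide
        a, b, c, d = d, (b + rotl32(tmp, S[t])) & MASK32, b, c
    # feed-forward: add the incoming chaining value to the result
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d)))


def md5_hex(message):
    """Steps 2, 3 and 5: iterate the compression function over 512-bit blocks."""
    h = IV
    padded = md5_pad(message)
    for i in range(0, len(padded), 64):
        h = md5_compress(h, padded[i:i + 64])
    return struct.pack("<4I", *h).hex()


def matches_hashlib(message):
    """Cross-check this implementation against the standard library."""
    return md5_hex(message) == hashlib.md5(message).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 56, b"x" * 200):
        print(md5_hex(m), matches_hashlib(m))
```

Inputs of 55, 56 and 64 bytes exercise the padding boundary, where the 64-bit length field no longer fits in the last block and pad(M) gains an extra 512-bit block.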

SLIDE 23

The Shortcomings of the MD/SHA Family

◮ First of all, these hash functions are Merkle-Damgård ones, susceptible to all the attacks on such hash functions.
◮ Most of the nonlinearity is introduced either in addition or locally (bitwise operations).
◮ An immediate consequence — it is easy to approximate the algorithm as a linear one.
◮ Easy to define the conditions when the approximation holds.
◮ Along with a simple message expansion, relatively slow diffusion, and many cool techniques∗ one can offer differentials with high probability that lead to collisions.

∗multi-block collision, neutral bits, message modification, advanced message modification, generalized differentials, amplified boomerang attack.

SLIDE 24

A(n Extremely) Short History of Hash Functions

1976 Diffie and Hellman suggest to use hash functions to make digital signatures shorter.
1979 Salted passwords for UNIX (Morris and Thompson).
1983/4 Davies/Meyer introduce Davies-Meyer.
1986 Fiat and Shamir use random oracles.
1989 Merkle and Damgård present the Merkle-Damgård hash function.
1990 MD4 is introduced by Rivest.
1990 N-Hash is almost broken by differential cryptanalysis.
1992 MD5 is introduced by Rivest.
1993 Preneel, Govaerts, Vandewalle study block-cipher based hashing.
1993 Bellare & Rogaway formally introduce random oracles.

SLIDE 25

A(n Extremely) Short History of Hash Functions

1993 SHA-0 is introduced.
1995 SHA-1 is introduced.
1997 SHA-0 is broken by Chabaud and Joux.
1999 Dean’s long second preimage attack on Merkle-Damgård.
2001 SHA-2 is introduced.
2004 Joux’s multicollision attack.
2004 Wang introduces attacks on MD4, MD5.
2005 Collision attacks on SHA-0 and SHA-1.
2006 Kelsey & Kohno’s herding attack.
2007 Preimage attacks on reduced-round SHA-1.
2007 SHA-1 Collision BOINC project starts.

SLIDE 26

The State of Affairs in 2007

Hash                | Collisions      | 2nd Preimage    | Preimage
MD4                 | By hand         | —               | —
MD5                 | 2^24            | —               | —
SHA-0 (80 rounds)   | 2^39            | up to 50 rounds | up to 50 rounds
SHA-1 (80 rounds)   | 2^63–2^69       | up to 45 rounds | up to 45 rounds
SHA-256 (64 rounds) | up to 24 rounds | —               | —
SHA-512 (80 rounds) | up to 24 rounds | —               | —

SLIDE 27

Our Options

SLIDE 32

The First Phase of the SHA-3 Competition

◮ January 2007: NIST announces that a SHA-3 competition will be held. Asks the public for comments.
◮ November 2007: NIST publishes the official rules of the competition.
◮ August 2008: First submission deadline.
◮ October 2008: The real deadline.
◮ 64 candidates were submitted.
◮ NIST went over them, and identified 51 which satisfied a minimal set of requirements. Let the games begin!

SLIDE 33

Welcome to the Wild West

Candidates: Abacus, ARIRANG, AURORA, Blake, Blender, BMW, Boole, Cheetah, CHI, CRUNCH, CubeHash, DCH, Dynamic SHA, Dynamic SHA2, ECHO, ECOH, EDON-R, Enrupt, ESSENCE, FSB, Fugue, Grøstl, Hamsi, JH, KECCAK, Khichidi-1, Lane, Luffa, LUX, MCSSHA-3, MD6, MeshHash, NaSHA, NKS2D, SANDstorm, Sarmal, Sgàil, Shabal, SHAMATA, SIMD, Skein, SHAvite-3, Spectral Hash, StreamHash, SWIFFTX, Tangle, TIB3, Twister, Vortex, WaMM, Waterfall

SLIDE 36

What a Break is?

◮ There is an ongoing debate what a broken hash function is. Even from the theoretical point of view.
  1 Practical.
  2 Close to Practical.
  3 (Time, Memory) is better than for generic attacks (e.g., time-memory tradeoff attacks, birthday attack).
  4 Time × Memory is less than required in generic attacks.
  5 Money for finding {collision, second preimage, preimage} in a given time frame is less than for generic attacks.
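Items 3 to 5 measure an attack against the generic ones, and the three goals they name are the preimage, second-preimage and collision requirements from the "What is a Hash Function?" slide, so it helps to see what the generic baseline costs. The block below is an added example, not from the slides: it builds a toy n-bit hash by truncating SHA-256 (a hash whose only weakness is its short output, so the generic attacks are the best available), states the expected generic cost of each goal, and runs the birthday collision search and a brute-force preimage search on small n so that the 2^(n/2) versus 2^n gap is visible. The helper names and the "constructed-" message format are my own constructed inputs. It is also why the MD5 row of the 2007 table counts as broken: 2^24 for collisions against a generic 2^64 for a 128-bit digest.

```python
import hashlib
import itertools


def truncated_digest(data, bits):
    """First `bits` bits (1..64) of SHA-256(data) as an int: a toy n-bit hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)


def generic_costs(bits):
    """Expected number of hash evaluations for the generic attack on each goal."""
    return {
        "preimage": 2 ** bits,            # try inputs until one hits the target
        "second_preimage": 2 ** bits,     # same, target is h(x) of the given x
        "collision": 2 ** (bits // 2),    # birthday bound: about sqrt(2^n)
    }


def birthday_collision(bits):
    """Generic collision search: hash distinct messages until a digest repeats.

    Returns (m1, m2, evaluations). By pigeonhole this needs at most 2^bits + 1
    evaluations; on average it needs about 2^(bits/2), which is the point.
    """
    seen = {}
    for i in itertools.count():
        m = b"constructed-msg-%d" % i       # constructed, distinct inputs
        h = truncated_digest(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def brute_force_preimage(target, bits, limit=None):
    """Generic preimage search: try messages until one hashes to `target`.

    Returns (message, evaluations), or None once `limit` evaluations are used.
    """
    for i in itertools.count():
        if limit is not None and i >= limit:
            return None
        m = b"constructed-pre-%d" % i
        if truncated_digest(m, bits) == target:
            return m, i + 1


def demo(collision_bits=24, preimage_bits=16):
    """Run both searches and return the observed work next to the generic estimate."""
    _, _, coll_work = birthday_collision(collision_bits)
    target = truncated_digest(b"constructed-target", preimage_bits)
    _, pre_work = brute_force_preimage(target, preimage_bits)
    return {
        "collision_observed": coll_work,
        "collision_expected": generic_costs(collision_bits)["collision"],
        "preimage_observed": pre_work,
        "preimage_expected": generic_costs(preimage_bits)["preimage"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note the asymmetry the numbers show: a 24-bit digest falls to a collision search in thousands of evaluations, while even a 16-bit digest needs tens of thousands for a preimage. This is why an n-bit digest is credited with only n/2 bits of collision resistance, and why a reported attack is only a "break" when it beats these figures for the full digest length.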

SLIDE 39

What NIST Did?

◮ At that point NIST had 27 broken submissions out of 51.
◮ They discarded the broken ones (24 left).
◮ MD6 was withdrawn (23 left).
◮ To further reduce the list of candidates to about 15, they decided to not select candidates which “has no real chance to be selected as SHA-3”.
◮ NIST allowed tweaks (small changes which do not invalidate previous analysis).
◮ And in July 2009 announced the second round candidates.

SLIDE 41

Welcome to the Second Round

Candidates: Blake, BMW, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, KECCAK, Luffa, Shabal, SHAvite-3, SIMD, Skein

SLIDE 43

The Second Round Process

◮ During the second round, all 14 candidates were analyzed.
◮ Hamsi was the only one that was (marginally) broken.
◮ Distinguishing properties were reported for the full compression functions of BMW, CubeHash, Grøstl, KECCAK, Luffa, Shabal, SHAvite-3, and SIMD.
◮ These attacks do not scale to the full hash function (at the moment).
◮ Attacks on almost the full compression functions of ECHO, Fugue, and Skein were also reported.
◮ JH and Blake were also analyzed.
◮ Some primitives received less cryptanalytic attention.

SLIDE 48

The Story of Shabal

◮ Shabal was submitted with a security proof (compression function is secure ⇒ hash function is secure).
◮ Shabal’s compression function can be easily distinguished.
◮ Shabal’s team fixed the proof.
◮ A new distinguishing attack on Shabal⋆ is introduced, where Shabal⋆ is secure according to the new proof. . .
◮ Luckily for Shabal — not so easy to get to Shabal⋆.

SLIDE 55

To Distinguish or Not to Distinguish

Let’s try to define the notion of a distinguisher on a compression/hash function.

◮ You can easily distinguish between h(·) and a random oracle. You can do so for all hash functions! (just query 0 as an input).
◮ You cannot find two inputs (a, b) that satisfy some non-trivial relation. Consider the Print(a, b) set of algorithms. . .
◮ Known-key distinguisher approach: It is possible to find a set of inputs that satisfy some relation in the output, faster than for a random oracle.
◮ . . . and if you do not like this name, feel free to use: pseudo-distinguisher or . . . bananas.

SLIDE 56

Performance Evaluation — Software

◮ Some teams had many people on them. Some not.
◮ All teams submitted C code, but not all submitted assembler code, or optimized per-platform code.
◮ Some teams supply measurements using method A, some by using method B, . . .
◮ Some teams supply measurements on a machine type A, some machine type B, . . .
◮ Some teams used compiler X, some Y, . . .
◮ Some teams had . . .

So how can you compare the speed?!?!?

SLIDE 57

Performance Evaluation — Software (cont.)

◮ eBASH — An effort to run everything everywhere.
  1 Strong points: lots of machines, easy to submit a new implementation.
  2 Weak points: still someone needs to implement, takes time for new implementations to be measured, some measurements are inconsistent.
  3 Measurement method can be “attacked”: submit a hash function with a message block size of 16,000 bytes.
◮ sphlib — An effort to implement everything by one guy (without using per-CPU optimization) in C.
  1 Strong point: portable code is sometimes important.
  2 Weak points: based on a one-man show (who is actually a submitter of Shabal); why not use per-CPU optimizations? why only C?

SLIDE 58

eBASH — A Glimpse

[Figure: eBASH results (image not captured in the text).]

SLIDE 59

eBASH — A Glimpse (cont.)

[Figure: eBASH results, continued (image not captured in the text).]

SLIDE 60

Performance Evaluation — Hardware

◮ Fewer people working on hardware implementation.
◮ More optimization targets (throughput vs. size vs. energy consumption).
◮ More technologies (ASIC vs. FPGA).
◮ Less common to share the “code”.

SLIDE 63

SHA-3 Finalists

In December 2010, NIST selected five finalists for the SHA-3 competition:

1 BLAKE
2 Grøstl
3 JH
4 KECCAK
5 Skein

SLIDE 64

The SHA-3 Finalists

◮ Each of the five finalists has a different design methodology:
  ◮ Narrow pipe (Haifa/UBI): BLAKE and Skein,
  ◮ Double pipe: Grøstl and JH,
  ◮ Sponge: KECCAK
◮ Each of them relies on different “security” mechanisms:
  ◮ ARX: BLAKE, KECCAK, and Skein,
  ◮ S-boxes: Grøstl and JH

SLIDE 65

Software Performance — eBASH

SLIDE 66

The eXternal Benchmarking eXtension Project

◮ 8-bit platforms are not as extinct as many people believe them to be . . .
◮ The new SHA-3 would need to run on these platforms as well.
◮ The XBX project aims at being the eBASH extension to the 8-bit microcontrollers world.
◮ In general, Blake, Skein, and KECCAK are leading in performance.

SLIDE 67

The Security of the SHA-3 Finalists

◮ Of the 5 finalists, two have distinguishing properties for the full “compression” function:
  1 KECCAK (a zero-sum distinguisher, in time complexity of 2^1579),
  2 JH (a rebound distinguisher, in time complexity of 2^304).
◮ While they somewhat invalidate the security proofs of JH and KECCAK, none of these attacks is considered a real threat to the underlying hash functions.

SLIDE 68

The Security of the SHA-3 Finalists (cont)

Best known attacks against the finalists at the moment:

Candidate             | Collision | 2nd Preimage | Preimage | Distinguishing
Blake (14–16 rounds)  | 5⋆        | 2.5          | 2.5      | 8–10
Grøstl (10–14 rounds) | 3/6⋆      | —            | —        | 9–10
JH (42 rounds)        | 16⋆       | —            | —        | 42
KECCAK (24 rounds)    | 4         | 6–8          | 3        | 24
Skein (72–80 rounds)  | —         | 37           | 37       | 34

SLIDE 70

SHA-3 — My Guess

Things which will label this entire thing as a waste of resources:

◮ Selecting something which offers less security than “optimal”.
◮ Selecting something much slower than SHA.
◮ If performance requirements are much larger than SHA.

In other words, NIST will pick the fastest secure-enough SHA-3 finalist.

SLIDE 73

SHA-3 — The True Waste of Effort

◮ SHA-3 took quite a lot of effort — analysis and implementation.
◮ Many cryptanalysts spent a lot of time designing their own submission.
◮ Then, they worked hard on breaking other SHA-3 candidates.
◮ Hence, little time to work on SHA-1/SHA-2 . . .
◮ What if this is all a scheme to make cryptanalysts work hard to extend SHA-1/2’s lifetime?

SLIDE 74

The Current State of Affairs

Hash                | Collisions      | 2nd Preimage    | Preimage
MD4                 | By hand         | 2^102           | 2^102
MD5                 | 2^16            | ≈ 2^124         | ≈ 2^124
SHA-0 (80 rounds)   | 2^39            | up to 52 rounds | up to 52 rounds
SHA-1 (80 rounds)   | 2^57–2^69       | up to 48 rounds | up to 48 rounds
SHA-256 (64 rounds) | up to 27 rounds | up to 43 rounds | up to 43 rounds
SHA-512 (80 rounds) | up to 24 rounds | up to 46 rounds | up to 46 rounds

SHA-3: To be Selected in August 2012. . .

SLIDE 75

Questions? Thank you for your Attention!
